Azure API Management: Oauth2 with backend API - api

I have a backend API I want to proxy by using Azure API Management.
This backend API requires me to provide a Bearer Oauth2 token.
I want to use Azure APIM to handle the Oauth2 flows for me, and I want to expose a very simple API that will be consumed by client apps. I want to avoid my client App to use Oauth2.
How can I handle it with APIM? I found a lot of samples demonstrating how to protect a backend API with Oauth2, but it is not the use case I'm trying to implement.
Thanks.

Here is a policy snippet to make this work:
<send-request ignore-error="true" timeout="20" response-variable-name="bearerToken" mode="new">
<set-url>{{authorizationServer}}</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>
#{
return "client_id={{clientId}}&resource={{scope}}&client_secret={{clientSecret}}&grant_type=client_credentials";
}
</set-body>
</send-request>
<set-header name="Authorization" exists-action="override">
<value>
#("Bearer " + (String)((IResponse)context.Variables["bearerToken"]).Body.As<JObject>()["access_token"])
</value>
</set-header>
<!-- We do not want to expose our APIM subscription key to the backend API -->
<set-header exists-action="delete" name="Ocp-Apim-Subscription-Key"/>
From: https://github.com/orangetoken/api-management-policy-snippets/blob/master/Snippets/Add%20Azure%20AD%20OAuth2%20bearer%20token%20to%20request%20to%20AD%20protected%20API.xml
And on the APIM policy snippets branch from the APIM team
https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Get%20OAuth2%20access%20token%20from%20AAD%20and%20forward%20it%20to%20the%20backend.policy.xml

What you need to do is add a header to request - use set-header policy to Set Authorization header to a desired value. That would work well if you can hardcode token in policy.
If you cant - the you have to organize OAuth flow inside policy using send-request. In short, what you'll be doing is sending you app id and secret to OAuth endpoint and parsing its response to obtain token and attach it to request.

Related

Should I use the Authorization header for API keys

We're going to expose a custom built API (.NET) through Azure API Management. We want to conform to well-known standards where ever possible, so we don't surprise our API consumers. The API is secured through an API key which users generate from APIM's Developer Portal.
My understanding is that the Authorization header should be used for authentication and authorization purposes.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
But strangely, API-Key is not included as an authentication scheme.
https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes
Should API consumers use an authorization header to authenticate?
E.g. Authorization: API-Key xxx-xxx
Or a custom header.
E.g. my-key:xxx-xxx
Technically, you shouldn't need any API-key if you have a token in the authorization header. I assume API-key/client and secret key are already used to generate a token. When the client sends token via an authorization header, the API owner validates your token and returns a response.

Generate Access Token and validate against IdentityServer4 through Azure API Management

I have an external endpoint which is going to hit the Azure API gateway and that would route it to the backend API which is protected by IdentityServer4 authorization.
I am getting the access token if I hit it through the Postman client with the interactive UI from IdentityServer.
Is there a way I can get the access token required from the Azure API Management to validate against the IdentityServer4 and append it to the header in the request to the backend API?
Yes it is possible to achieve it through custom policy. You can ask your external API-Client/Consumer to paas in credentials in heaser, and then you write a policy inside inbound to can read those user credentials and do a API request (similar to your postman) and get the access token. You can then append the same token and let your request gets forwarded to backend API.
As per your problem statement, this should work. In case not, you might have to explain your scenario with more description/steps.
Here are some of the reference materials for you, I hope it helps.
https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#SendRequest
https://learn.microsoft.com/en-us/azure/api-management/api-management-sample-send-request
Postman has a luxury of a human user seeing the UI and authorizing API access and IdentityServer4 to issue a token for Postman. There is no such luxury when call is being processed by APIM server, as you could send request for token to IdentityServer4, but who would be presented UI to authorize the action?
The only way is to provision some sort of secret to APIM (header, query, certificate) that would be recognized by IdentityServer4 to allow it issuing tokens for APIM. If such secred is available you could use send-request policy to make a call to IdentityServer4 and obtain required token.
Or make sure that every request to APIM has a token already.

JWT handling with WSO2-AM

we plan to introduce an API management solution and we're currently setting up a proof of concept with WSO2 AM. We want to use the WSO2 API gateway to check whether a certain consumer application is allowed to use an API and to throttle the request rate.
I work on the identity workflow and I wonder how a consuming application can pass a JWT token to the backend service with WSO2-AM in between.
First, this is our current scenario:
Without API gateway
The consuming application gets a JWT token for its carbon user from an identity provider. The JWT contains some claims about the user, e.g. the roles he/she belongs to.
The app calls the service an passes the JWT token in the Authorization HTTP header like: Authorization: Bearer
The service validates the issuer and signature of the JWT and retrieves the claims from it.
So, this is pretty straight forward. Now we put an API gateway in between the application and the service:
With API gateway
The consuming application gets a JWT token for its carbon user from an identity provider.
The consuming application uses OAuth2 to get an access token for the following API calls. We can use the client_credentials grant type and simply pass the the client id and client secret. I haven't yet tried it, but we could possibly use the JWT grant type (see https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type) and use the JWT for passing user information to the API gateway.
The API gateway validates the JWT against the public key of the identity provider when using the JWT grant type.
An access token is returned to the app.
The app sends an API request to the gateway and passes the access token in the Authorization HTTP header.
The gateway validates the access token.
The gateway forwards the API request to the service.
And there is my problem: How can the JWT from 1/2. be passed to the service?
There is a documentation for "Passing Enduser Attributes to the Backend Using JWT" (see https://docs.wso2.com/display/AM210/Passing+Enduser+Attributes+to+the+Backend+Using+JWT), but this would introduce a new JWT, issued and signed by WSO2-AM, and I'm not sure, whether this JWT contains all information from the JWT used to create the access token (or even the original JWT).
Another way I could think of is using a custom HTTP header for passing the JWT through the gateway to the service. I cannot use the Authorization header (as we do without the API gateway), because WSO2-AM expects the access token in that header.
Since I'm not happy with either solutions, I want to ask the experts: How would you solve this?
Thanks,
Torsten
The only possibility I can think of is to send the JWT token in a custom Header for the backend service.

Retrieve id_token based on access_token in API

We are current building a collection of back-end ASP.NET Core microservices. These services will not be accessed directly from the front-end application, but rather accessed through an ASP.NET Core API gateway. We are using IdentityServer4 for the OpenID Connect server. I have been able to setup the UseJwtBearerAuthentication middleware to have API gateway validate the JWT bearer token (access_token) against IdentityServer4. I would like to be able to have the API gateway inject the id_token, based on the access_token, into the requests made to the back-end services that may need to know the end-user.
Is there a way to configure the JWT middleware to retrieve the id_token when validation the access_token or do I need to manually call the OpenID Connect server in the API gateway?
You don't use id_tokens at APIs - they are for clients.
If you want to have access to certain identity claims, either include them in the access token (by configuring the ScopeClaims on the resource scope), or use the access token to contact the userinfo endoint which in turn will return the identity claims.
The JWT middleware performs standalone verification, it does not contact the identity server to verify or retrieve anything. You'll have to make an additional call.

Custom Http Authorization Header with Spring Security

We are building a Restful service using Grails framework and are providing security for it using Spring Security plugin. I wanted to check with you all on best approach to take when you want to authenticate using Custom Authorization header. More on this approach can be read here
Custom HTTP Authorization Header
In my case, client id and secret is stored in Ldap and header comes with SHA1 encryption. What would be the best approach to implement this using Spring Security?
I have asked same question in Grails mailing list too.
Any insight would be helpful. Thanks.
~Abhi
You have to implement your own Filter, Authentication Provider and Authentication token (to pass data to your Provider).
See:
what is securty filter chain - http://static.springsource.org/spring-security/site/docs/3.0.x/reference/security-filter-chain.html
authentication providers - http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-services.html#core-services-dao-provider
how to register your filter into Spring Secutory Core plugin - http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/16%20Filters.html
and, if you need an example, take a look at some existing authentication subplugins for Spring Security Core - http://grails.org/plugin/spring-security-core
List item
If you are using basic authorization header, then following configuration works for you in context-security.xml file.
< http auto-config="true" use-expressions="true" pattern="/project/api/**">
< intercept-url pattern="/**" access="isFullyAuthenticated()" requires-channel="${security.requires.channel}" method="POST"/>
< custom-filter ref="basicAuthenticationFilter" position="PRE_AUTH_FILTER"/>
< /http>
< beans:bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
< beans:property name="authenticationManager" ref="authenticationManager" />
< beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
< /beans:bean>
I have used same approach for rest services But you need to be careful that whatever scheme you use for encoding username and password, same scheme you should use in filter for decoding 'Authorization' header information. If you are using some custom scheme for encoding 'Authorization' header, then you need to extend 'BasicAuthenticationFilter' and provide appropriate decoding of 'Authorization' header